I want to retrieve data from an applications back-end. I have to send the user's email via an API request from the front-end website in order to do this.
Is it good practice to send the user email in a GET request or a POST request? More specifically, is it good practice to not include a users email as a URL parameter because you don't want some other third party to see it?
Thanks
You'll absolutely want to make use of POST requests rather than GET requests for querying email addresses, as GET requests should never be used for sending sensitive information.
Bearing that in mind, you also have to take into consideration what you're doing with your endpoint to begin with. If you're simply requesting public information about an email address (such as resolving the server name or IP), then perhaps a GET request would suffice.
Keep in mind you cannot pass any authorisation headers with a GET request, so if you're querying something like whether the email address in question has a registered account on your website, anyone would be able to find out your user's email addresses by spamming requests until they got a 200 response (thus validating a registered email). And knowing a valid user's email address could serve as an attack vector at a later stage.
In short, you most likely want POST. Only use GET if you're purely querying information about the domain that the email is hosted on.
Well, POST-request is better for hiding GET-params from logs.
The best you could do - is encrypt data being transferred. You can use POST-request with SSL-encryption and it will be good enough for regular systems.
Related
I have site where people can send posts (Wordpress based website). Each post have a form which anyone can use to send email to the author of the post. I think at some point there might be heavy traffic on site and that could mean hundreds and hopefully thousands emails leaving from different posts pages per day. What should i take account that the emails don't get attached to spam filters? Or should I use some 3rd party system for this?
One thing that I usually do by default is add a TEXT record to my DNS (SPF Record) indicating that this server is an authorized sender for my domain.
If the server is on the same network as your mail server, you can relay the mail through your mail server.
If the mail server is not on the same network, you could sent the mail through SMTP.
Make a reputation system of your site users ( like stackoverflow for example) and give mail power just to those that managed to get a number of points ( or whatever you will use for reputation). This way, at least, you won't get abused by spammers. Moreover, if someone abuse his power, you can "ban" him from sending emails.
About spam filters, if you have a dedidated server, could use your local smtp with some antispam solution instaled, to drop those messages that are spammy, to stop them at the source.
Also, use SPF and DKIM but those won't ensure that your mails won;t end up in trash, just protects your identify as mail sender, and others can't impersonate you.
I am using facebook on my website to send requests. (like a multi friend selector)
I am using the a basic method in fb documentation as
https://www.facebook.com/dialog/apprequests?app_id=APP_ID&message=Facebook%20Dialogs%20are%20so%20easy!&redirect_uri=http://localhost/mysite/newpage.aspx
It works and sends requests and I get the id'd of the users requests are sent to.
Now, How do I get their email address ?
I would like to store both facebook id and email addresses of all the people requests are sent to.
In fact, it would be of great help if I can get some basic details like email, first and last name, facebook profile picture etc., for all those ids.
I am using asp.net. Please try to answer in that.
That's simply not possible - there's no way the Facebook Graph API would expose Email-addresses of friends! (you can of course access the email-address of the current user when authorizing with the "email"-extended permission).
As for the other basic details - yeah, firstname, lastname & profile picture are publicly available, just query https://graph.facebook.com/USERID?fields=first_name,last_name,picture. You should consider using Batch-Requests if you want to query lots of different persons in one go.
When a customer signs up for a site, we want to let them know whether a username/email is available for use.
We have a httphandler that serves the purpose of feeding a jquery script that showsthe customer whether or not their desired username/email is available.
The question is:
The service can clearly be seen being called when you view the request in fiddler.
It shows /emlhandler.asmx?name=xxxxxxxxxxx#yyy.com
From the handler, a simple 0 or 1 is returned to indicate whether or not the name/address is available.
My concern is that this seems like a major security issue that would be very easy for an inexperienced person to exploit to discover all the users on the site.
So friends, how do you protect your site info and still allow the ajax callback to provide a great user experience?
Thanks.
Heath
You are being slightly paranoid here. Every site that allows user registration has to do something similar. One thing you can reasonably do is add a slight delay (maybe 2 or 3 seconds) to the handler's processing in order to reduce the likelihood or ease of a brute-force attack. Frankly, I don't think anyone would bother.
Another option is just to ignore repeated emails and send a verification email before a user's registration actually becomes active. If a new user attempts to use an existing email, the original email owner receives the verification and can cancel or ignore it. But I don't recommend this.
I'd say the vast majority of the sites I've used will just immediately say "this email address is already registered... did you forget your password?" Just knowing an email address is already in use on a given site does not in itself represent a security breach.
One possible solution would be to only enable POST requests for that method.
And since you cannot invoke services from JavaScript from another domain (XSS - Cross-site Scripting) without your authorization, then you would be protected.
However this technique would prevent malicious users from calling your web service to discover user names but this wouldn't prevent the user to automate a process to simulate user entering data in a text box to force a call to the service, in that case, perhaps you could allow just a number of requests per user in an X amount of time.
You could keep track of the number of attempts using the Session object from your web service
Another approac would be to add a re Captcha to your site, however this would decrease the level of responsiveness if you used to allow your users to capture a user name and as soon as they write you call your service. Implementing would require your users to write the auto-generated captcha in order to submit your data
I have my little web application, with simple registration strategy - provide email and password and you are done.
Recently bot's starting to attack my application, registering big number of users from non existent emails using the same passwords.
I want to prevent that. My idea is to extend login verification, but check the existance of email address. Do you know any web services (prefereably WCF) that could do that?
This is definitely not the way to solve this problem. Try one of these
Allow user to enter only username and send auto-generated password to their email.
Send a verification link to the user email and approve him/her only after verification
This has been discussed on How to check if an email address exists without sending an email? . Basically there are ways verify email addresses, but in practice none of them is reliable. However, you can still check via SMTP, and if the server denies the existence of the expected user, send him an email with a verification link anyway. This does not prevent spammers from setting up fake servers that acknowledge the existence of any user, of using other peoples email addresses, but it's probably the closest you can get to your initial requirement of having no verification email.
I would recommend you to update your registration form. Try to use something tricky for bots. For example, post the form via AJAX with JSON object wrapper.
Try a service like: http://elasticemail.com/
You can use the api to check if the email was delivered. There is also a 'bouce list' you can check.
my friend and I were thinking of a Web idea and ran into an issue:
We can't allow the email address to be sitting in a database with its associated data, in the case of a hacker obtaining the database. We'd like to ensure the email address and its associated data can never be linked, but then on the other hand we also need to keep them linked somehow so we can send users email notifications E.T.C
Can anyone think or know of a way around this? (.NET, Umbraco)
Thanks!
Have 2 databases, one with users + data + user id, another with user id + email. Secure them both, if one gets discovered, the other one might not be.
In any case you are asking us to prove falsity. ^^
I can't think of a way to link user data with emails without actually linking user data with emails. However, it would be possible to not have the email address stored and linked in a database if you could live with only having their email address when the user is logged in.
You could require users to log in using their email address and password as many sites do, but you could store a one way hash of the email address (such as sha1(email+password) ) rather than the address itself. When the user logs in successfully, you can store their email address in their session without ever having to get it from the database. You could then send them emails until you destroy their session. This would prevent an attacker from connecting their data to their email without brute forcing the hashes or grabbing the session information from memory or user cookies depending on how you store it.
Unfortunately, this wouldn't allow you to send notification emails.